DNSSEC validation in CentOS Stream 9

Carsten Strotmann carsten at strotmann.de
Thu Sep 8 07:20:46 UTC 2022


Hello Josef,

On 8 Sep 2022, at 8:42, Josef Vybíhal via Unbound-users wrote:

> Hello everyone,
> maybe this will be obvious to some, but I have been scratching my head
> about this since yesterday.
>
> In CentOS Stream 9, when unbound is installed from Appstream, I see that
> unbound returns insecure replies to clients. Which is not what I want,
> nor what I am used to. I am thinking this might be a packaging bug,
> compile option or config setting, but I can not figure out which and
> where. I am testing with untouched rpm package config.
>
>
> CentOS Stream 9 example:
> [root@18 ~]# dig sigfail.verteiltesysteme.net @127.1 +short
> 134.91.78.139
> [root@18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
[...]
> sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
> sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
> sigok.verteiltesysteme.net has no mail handler record (insecure)
> [root@18 ~]# unbound -V
> Version 1.16.2

Red Hat removed (almost all) SHA1 support from RHEL 9 (including CentOS), which causes DNSSEC zones signed with RSASHA1 to be treated as insecure:

<https://access.redhat.com/solutions/6955455>

This affects the Red Hat build versions of Unbound and BIND 9 (as a resolver).

SHA1 for DNSSEC use is on its way to being deprecated <https://www.ietf.org/archive/id/draft-hardaker-dnsop-must-not-sha1-00.html>, but there are still zones that have not migrated to stronger DNSSEC algorithms.

See the discussion on this mailing list for some background <https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-April/007709.html>

Greetings

Carsten
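
An added example, not part of the original message: a shell helper that reads the output of `dig +short DS <zone>` and reports whether the delegation relies only on the RSA/SHA-1 algorithms (5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1), which is the case where a resolver built without SHA1 returns answers marked insecure. The function name, the verdict strings and the sample DS lines are constructed for illustration.

```shell
#!/bin/sh
# classify_ds: read `dig +short DS <zone>` lines on stdin
# (fields: key-tag algorithm digest-type digest...) and print one verdict:
#   no-ds      no DS records: the zone is unsigned from the parent's view
#   sha1-only  every DS uses algorithm 5 or 7: a validator without SHA1
#              has no supported algorithm and treats the zone as insecure
#              (RFC 4035, section 5.2)
#   mixed      SHA-1 and non-SHA-1 algorithms are both present
#   no-sha1    no DS uses algorithm 5 or 7
classify_ds() {
    awk '
        # Accept only lines that look like DS rdata with a numeric algorithm.
        NF >= 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            total++
            if ($2 == 5 || $2 == 7) sha1++
        }
        END {
            if (total == 0)    { print "no-ds";     exit }
            if (sha1 == total) { print "sha1-only"; exit }
            if (sha1 > 0)      { print "mixed";     exit }
            print "no-sha1"
        }'
}

# Constructed sample DS sets (digests are placeholders, not real zone data).
sample_sha1_only() {
    printf '%s\n' \
        '11111 5 2 0000000000000000000000000000000000000000000000000000000000000000' \
        '22222 7 2 1111111111111111111111111111111111111111111111111111111111111111'
}
sample_mixed() {
    printf '%s\n' \
        '11111 5 2 0000000000000000000000000000000000000000000000000000000000000000' \
        '33333 13 2 2222222222222222222222222222222222222222222222222222222222222222'
}
sample_modern() {
    printf '%s\n' \
        '44444 8 2 33333333333333333333333333333333333333333333333333333333 33333333'
}

echo "sha1-only sample: $(sample_sha1_only | classify_ds)"
echo "mixed sample:     $(sample_mixed | classify_ds)"
echo "modern sample:    $(sample_modern | classify_ds)"
# Live use (needs network access): dig +short DS <zone> | classify_ds
```

A `sha1-only` verdict on an affected resolver means the `(insecure)` result comes from the unsupported algorithm, not from a missing trust anchor or a disabled validator.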

